FastAPI-based REST API for social protection data exchange. Exposes registrant, program, and membership data via OAuth 2.0 authenticated endpoints with consent-based access control. Never exposes database IDs; all identifiers use namespace URIs for global interoperability.
- OAuth 2.0 Authentication: Client credentials flow with scrypt-hashed secrets, scoped access
- Consent-Based Access Control: All reads require active consent, filtered by organization type
- External Identifiers Only: Namespace URIs for lookups, vocabulary IDs for coded values
- Source Tracking: Records data provenance per ADR-008
- Extension Registry: Domain modules register custom fields via spp.api.extension
- Batch Operations: Create/update multiple registrants per request
| Model | Description |
|---|---|
| spp.api.client | OAuth 2.0 credentials, organization verification |
| spp.api.client.scope | Resource/action permissions |
| spp.api.path | Endpoint configuration and filters |
| spp.api.path.filter | Field-level filter configurations |
| spp.api.filter.preset | Saved filter combinations |
| spp.api.extension | Domain field registry |
| spp.consent.scope | Resource types per consent |
Navigate to Registry > Configuration > API V2 for all API configuration. Available submenus:
- API Clients - Manage OAuth credentials and organization verification
- API Extensions - View registered custom field extensions
- API Paths - Configure available endpoints and static filters
- API Filters - Define queryable field filters per path
- Filter Presets - Create named filter combinations
API Client Form Tabs:
- Consent & Security - Consent requirements, legal basis, organization type verification
- Scopes - Resource/action permissions and program restrictions
- Description - Client documentation
API Extension Form Tabs:
- Fields - Registered custom fields from domain modules
- JSON Schema - Auto-generated schema for extension fields
API Path Form Tabs:
- Filters - Field-level filter configurations (inline editable)
- Presets - Saved filter combinations (inline editable)
After installing:
- Navigate to Registry > Configuration > API V2 > API Clients
- Create a new client, assign organization and organization type
- Click Verify Organization Type (requires Manager role)
- Click Regenerate Secret to view OAuth credentials
- Configure scopes via Scopes stat button or Scopes tab
API endpoints available at /api/v2/ (token endpoint: /api/v2/token).
| Group | Access |
|---|---|
| group_api_v2_viewer | Read-only: all API configuration and consent |
| group_api_v2_officer | Read/Write: all models (no create/delete), full CRUD on consent scopes |
| group_api_v2_manager | Full CRUD: clients, scopes, paths, filters, presets, extensions; Read/Write/Create on consent (no delete) |
- Inherit spp.api.extension to register custom fields
- Override _get_fastapi_routers() in fastapi.endpoint for custom endpoints
base, fastapi, spp_security, spp_registry, spp_consent, spp_vocabulary, spp_programs, spp_source_tracking
- Initial migration to OpenSPP2
Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us to smash it by providing detailed and welcomed feedback.
Do not contact contributors directly about support or help with technical issues.
- OpenSPP.org
Current maintainers:
This module is part of the OpenSPP/OpenSPP2 project on GitHub.
You are welcome to contribute.






